Honeypots mailing list archives
RE: Windows Honeypot Help
From: "David LeBlanc" <dleblanc () Exchange Microsoft com>
Date: Tue, 17 Feb 2004 11:21:23 -0800
-----Original Message-----
From: Ted [mailto:padmin () adelphia net]
Sent: Monday, February 16, 2004 4:09 AM
To: honeypots () securityfocus com
Subject: Windows Honeypot Help

Hello,

Bottom line up front, I'm looking for some kind of script/software combination that will allow me to emulate services and log interaction with those fake services on a Win2k honeypot.

Now for some details. I've been wanting to create a honeypot for quite a while now in order to do some personal research on tools and methodologies used by hackers in the wild. Recently, I decided to go ahead and do it. In preparation, I read Lance Spitzner's book and did some research on the net to gain perspective on the various aspects of honeypot development and deployment.

[snip]

-------------------------------------------------------------

When trying to monitor a Windows system, there are some things to think about that might be helpful - every process has an associated WindowStation. You can find these with EnumWindowStations. WindowStations contain one or more desktops, and every thread is associated with a desktop. If you have enough access rights, you can open the desktops, determine what windows are running on each desktop, and then you can monitor the messages going to these windows. It is your best bet at monitoring something like a terminal server session, or maybe the local console piped out through VNC or perhaps a backdoor. Personally, I'd write a service to do this.

This approach won't be much help (I don't think) when dealing with cmd.exe where stdio has been redirected to a socket handle, but it will help with other situations.

Hope this helps -
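The window-station / desktop / window walk described in the reply above, written out as an added PowerShell example (not code from the thread or from Microsoft). It wraps the documented Win32 calls EnumWindowStations, OpenWindowStation, EnumDesktops, OpenDesktop, EnumDesktopWindows, GetWindowTextW and GetWindowThreadProcessId via P/Invoke; the `WinSta` wrapper class, the `$script:Inventory` list and the `Add-Line` / `Get-LastError` helpers are names chosen here. It produces one log line per top-level window on every desktop the caller can open, which is the inventory a honeypot monitor would record and diff on a schedule; open failures are logged and skipped rather than aborting the walk.

```powershell
# Added example (not from the thread): inventory window stations, their desktops,
# and the top-level windows on each desktop, one line per window.
# Assumes a real user32.dll; all extern names below are the documented Win32 APIs.
$winSta = @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WinSta {
    public delegate bool EnumWindowStationProc(string name, IntPtr lParam);
    public delegate bool EnumDesktopProc(string name, IntPtr lParam);
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    public const uint WINSTA_ENUMDESKTOPS = 0x0002;
    public const uint DESKTOP_READOBJECTS = 0x0001;
    public const uint DESKTOP_ENUMERATE   = 0x0040;
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EnumWindowStations(EnumWindowStationProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenWindowStation(string name, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseWindowStation(IntPtr hWinSta);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SetProcessWindowStation(IntPtr hWinSta);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EnumDesktops(IntPtr hWinSta, EnumDesktopProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr hDesk);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool EnumDesktopWindows(IntPtr hDesk, EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int GetWindowTextW(IntPtr hWnd, StringBuilder text, int max);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
}
"@
Add-Type -TypeDefinition $winSta

$script:Inventory      = New-Object 'System.Collections.Generic.List[string]'
$script:CurrentWinSta  = ''
$script:CurrentDesktop = ''
function Add-Line([string]$text) { $script:Inventory.Add($text) }
function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Innermost callback: one line per top-level window with owning PID, TID and title.
$script:WindowProc = [WinSta+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    $title = New-Object System.Text.StringBuilder 512
    [void][WinSta]::GetWindowTextW($hWnd, $title, $title.Capacity)
    $ownerPid = [uint32]0
    $tid = [WinSta]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
    Add-Line ('{0}\{1} hwnd=0x{2:X} pid={3} tid={4} title="{5}"' -f `
        $script:CurrentWinSta, $script:CurrentDesktop, $hWnd.ToInt64(), $ownerPid, $tid, $title.ToString())
    return $true
}

# Middle callback: open each desktop with read-only rights and walk its windows.
$script:DesktopProc = [WinSta+EnumDesktopProc]{
    param([string]$name, [IntPtr]$lParam)
    $script:CurrentDesktop = $name
    $access = [WinSta]::DESKTOP_READOBJECTS -bor [WinSta]::DESKTOP_ENUMERATE
    $hDesk = [WinSta]::OpenDesktop($name, 0, $false, $access)
    if ($hDesk -eq [IntPtr]::Zero) {
        Add-Line ('{0}\{1}: OpenDesktop failed, Win32 error {2}' -f $script:CurrentWinSta, $name, (Get-LastError))
        return $true   # keep enumerating the remaining desktops
    }
    [void][WinSta]::EnumDesktopWindows($hDesk, $script:WindowProc, [IntPtr]::Zero)
    [void][WinSta]::CloseDesktop($hDesk)
    return $true
}

# Outermost callback: OpenDesktop only resolves names in the process's current window
# station, so switch to each station for the duration of its walk and then switch back.
$script:WinStaProc = [WinSta+EnumWindowStationProc]{
    param([string]$name, [IntPtr]$lParam)
    $script:CurrentWinSta = $name
    $hWinSta = [WinSta]::OpenWindowStation($name, $false, [WinSta]::WINSTA_ENUMDESKTOPS)
    if ($hWinSta -eq [IntPtr]::Zero) {
        Add-Line ('{0}: OpenWindowStation failed, Win32 error {1}' -f $name, (Get-LastError))
        return $true
    }
    $previous = [WinSta]::GetProcessWindowStation()
    if ([WinSta]::SetProcessWindowStation($hWinSta)) {
        [void][WinSta]::EnumDesktops($hWinSta, $script:DesktopProc, [IntPtr]::Zero)
        [void][WinSta]::SetProcessWindowStation($previous)
    } else {
        Add-Line ('{0}: SetProcessWindowStation failed, Win32 error {1}' -f $name, (Get-LastError))
    }
    [void][WinSta]::CloseWindowStation($hWinSta)
    return $true
}

[void][WinSta]::EnumWindowStations($script:WinStaProc, [IntPtr]::Zero)
$script:Inventory   # emit the inventory; pipe to Out-File with a timestamp to build a log
```

Two things worth knowing before deploying this as the reply suggests. EnumWindowStations only lists the window stations in the caller's session: since Vista, services run in session 0 and interactive and terminal-server logons each get their own session, so a service will not see the user's WinSta0 and the monitor has to run inside the session it watches (the reply predates that split; Windows 2000 had no session 0 isolation). Desktops such as Winlogon and the service window stations need elevated rights to open, which is why the script logs the Win32 error and moves on instead of stopping. The last step in the reply, watching messages delivered to those windows, needs a hook DLL loaded into the target processes and is not part of this enumeration.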
Current thread:
- Windows Honeypot Help Ted (Feb 16)
- Re: Windows Honeypot Help SecurIT Informatique Inc. (Feb 16)
- RE: Windows Honeypot Help sunzi (Feb 17)
- <Possible follow-ups>
- RE: Windows Honeypot Help David LeBlanc (Feb 18)
- RE: Windows Honeypot Help Byron Copeland (Feb 19)
- RE: Windows Honeypot Help Wiles, Sean (Feb 19)
- Re: Windows Honeypot Help SecurIT Informatique Inc. (Feb 16)